Managing Serviceguard 12th Edition, March 2006

Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5 197
MONITOR
FULL_ADMIN
PACKAGE_ADMIN
MONITOR and FULL_ADMIN can only be set in the cluster configuration
file and they apply to the entire cluster. PACKAGE_ADMIN can be set in
the cluster or a package configuration file. If it is set in the cluster
configuration file, PACKAGE_ADMIN applies to all configured packages.
If it is set in a package configuration file, PACKAGE_ADMIN applies to
that package only.
NOTE: You do not have to halt the cluster or package to configure or modify
access control policies.
Here is an example of an access control policy:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
If this policy is defined in the cluster configuration file, it grants the
PACKAGE_ADMIN role for any package to user john from node bit.
If this policy is defined in the package configuration for PackageA, then
user john from node bit has PACKAGE_ADMIN role only for PackageA. User
john also has the MONITOR role for the entire cluster.
You will not be allowed to configure roles that conflict, except in the case
of “wildcards”; it is acceptable for ANY_USER and john to be given
different roles. If you enter conflicting roles, Serviceguard will fail to
apply the configuration and will report an error.
For example, consider what would happen if these entries were in the
cluster configuration file:
# Policy 1:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
# Policy 2:
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR
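
A pre-check for the kind of conflict shown in Policy 1 and Policy 2 can be run over a configuration file before it is applied. The following is an added example, not part of the Serviceguard manual or product. It assumes that a conflict means the same USER_NAME and USER_HOST pair with more than one USER_ROLE, and that each policy lists USER_NAME, USER_HOST and USER_ROLE in that order, as in the examples above; the function names and the ANY_USER sample entry are constructed for illustration.

```python
import re
from collections import defaultdict

ROLES = {"MONITOR", "FULL_ADMIN", "PACKAGE_ADMIN"}  # role names listed on this page

# Constructed sample: the two policies from the text plus a wildcard entry.
SAMPLE = """\
# Policy 1:
USER_NAME john
USER_HOST bit
USER_ROLE PACKAGE_ADMIN
# Policy 2:
USER_NAME john
USER_HOST bit
USER_ROLE MONITOR
# Constructed wildcard entry
USER_NAME ANY_USER
USER_HOST bit
USER_ROLE MONITOR
"""

def parse_policies(text):
    """Return (user, host, role, line_no) tuples; line_no is the USER_NAME line."""
    policies, cur = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(USER_NAME|USER_HOST|USER_ROLE)\s+(\S+)$", line)
        if not m:
            continue                                 # unrelated parameter or blank
        key, value = m.groups()
        if key == "USER_NAME":
            cur = {"line": n}                        # USER_NAME starts a new policy
        cur[key] = value
        if key == "USER_ROLE":                       # USER_ROLE closes the policy
            if value not in ROLES or len(cur) != 4:
                raise ValueError(f"line {n}: incomplete policy or unknown role")
            policies.append((cur["USER_NAME"], cur["USER_HOST"], value, cur["line"]))
            cur = {}
    return policies

def find_conflicts(policies):
    """Map (user, host) -> {role: line_no} wherever one pair holds several roles."""
    seen = defaultdict(dict)
    for user, host, role, line in policies:
        seen[(user, host)].setdefault(role, line)
    # ANY_USER is a different key from john, so a wildcard is never flagged here.
    return {pair: roles for pair, roles in seen.items() if len(roles) > 1}

if __name__ == "__main__":
    for (user, host), roles in find_conflicts(parse_policies(SAMPLE)).items():
        print(f"conflict: {user}@{host} has roles {roles}")
```
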